Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/scapy/layers/x509.py: 88%

1# SPDX-License-Identifier: GPL-2.0-only

2# This file is part of Scapy

3# See https://scapy.net/ for more information

4# Copyright (C) Philippe Biondi <phil@secdev.org>

5# Acknowledgment: Arnaud Ebalard & Maxence Tury

7# Cool history about this file: http://natisbad.org/scapy/index.html

9"""

10X.509 certificates, OCSP, CRL, CMS and other crypto-related ASN.1 structures

11"""

13from scapy.asn1.ber import BER_Decoding_Error

14from scapy.asn1.mib import conf # loads conf.mib

15from scapy.asn1.asn1 import (

16 ASN1_Codecs,

17 ASN1_IA5_STRING,

18 ASN1_OID,

19 ASN1_PRINTABLE_STRING,

20 ASN1_UTC_TIME,

21 ASN1_UTF8_STRING,

22)

23from scapy.asn1packet import ASN1_Packet

24from scapy.asn1fields import (

25 ASN1F_BIT_STRING_ENCAPS,

26 ASN1F_BIT_STRING,

27 ASN1F_BMP_STRING,

28 ASN1F_BOOLEAN,

29 ASN1F_CHOICE,

30 ASN1F_enum_INTEGER,

31 ASN1F_ENUMERATED,

32 ASN1F_field,

33 ASN1F_FLAGS,

34 ASN1F_GENERALIZED_TIME,

35 ASN1F_IA5_STRING,

36 ASN1F_INTEGER,

37 ASN1F_ISO646_STRING,

38 ASN1F_NULL,

39 ASN1F_OID,

40 ASN1F_omit,

41 ASN1F_optional,

42 ASN1F_PACKET,

43 ASN1F_PRINTABLE_STRING,

44 ASN1F_SEQUENCE_OF,

45 ASN1F_SEQUENCE,

46 ASN1F_SET_OF,

47 ASN1F_STRING_ENCAPS,

48 ASN1F_STRING_PacketField,

49 ASN1F_STRING,

50 ASN1F_T61_STRING,

51 ASN1F_UNIVERSAL_STRING,

52 ASN1F_UTC_TIME,

53 ASN1F_UTF8_STRING,

54)

55from scapy.packet import Packet

56from scapy.fields import (

57 MultipleTypeField,

58 PacketField,

59)

60from scapy.volatile import ZuluTime, GeneralizedTime

61from scapy.compat import plain_str

63from scapy.layers.tpm import KeyAttestationStatement

66class ASN1P_OID(ASN1_Packet):

67 ASN1_codec = ASN1_Codecs.BER

68 ASN1_root = ASN1F_OID("oid", "0")

71class ASN1P_INTEGER(ASN1_Packet):

72 ASN1_codec = ASN1_Codecs.BER

73 ASN1_root = ASN1F_INTEGER("number", 0)

76class ASN1P_PRIVSEQ(ASN1_Packet):

77 # This class gets used in x509.uts

78 # It showcases the private high-tag decoding capacities of scapy.

79 ASN1_codec = ASN1_Codecs.BER

80 ASN1_root = ASN1F_SEQUENCE(

81 ASN1F_IA5_STRING("str", ""),

82 ASN1F_STRING("int", 0),

83 explicit_tag=0,

84 flexible_tag=True)

87#######################

88# RSA packets #

89#######################

90# based on RFC 3447

92# It could be interesting to use os.urandom and try to generate

93# a new modulus each time RSAPublicKey is called with default values.

94# (We might have to dig into scapy field initialization mechanisms...)

95# NEVER rely on the key below, which is provided only for debugging purposes.

96class RSAPublicKey(ASN1_Packet):

97 ASN1_codec = ASN1_Codecs.BER

98 ASN1_root = ASN1F_SEQUENCE(

99 ASN1F_INTEGER("modulus", 10),

100 ASN1F_INTEGER("publicExponent", 3))

101

102

103class RSAOtherPrimeInfo(ASN1_Packet):

104 ASN1_codec = ASN1_Codecs.BER

105 ASN1_root = ASN1F_SEQUENCE(

106 ASN1F_INTEGER("prime", 0),

107 ASN1F_INTEGER("exponent", 0),

108 ASN1F_INTEGER("coefficient", 0))

109

110

111class RSAPrivateKey(ASN1_Packet):

112 ASN1_codec = ASN1_Codecs.BER

113 ASN1_root = ASN1F_SEQUENCE(

114 ASN1F_enum_INTEGER("version", 0, ["two-prime", "multi"]),

115 ASN1F_INTEGER("modulus", 10),

116 ASN1F_INTEGER("publicExponent", 3),

117 ASN1F_INTEGER("privateExponent", 3),

118 ASN1F_INTEGER("prime1", 2),

119 ASN1F_INTEGER("prime2", 5),

120 ASN1F_INTEGER("exponent1", 0),

121 ASN1F_INTEGER("exponent2", 3),

122 ASN1F_INTEGER("coefficient", 1),

123 ASN1F_optional(

124 ASN1F_SEQUENCE_OF("otherPrimeInfos", None,

125 RSAOtherPrimeInfo)))

126

127####################################

128# Diffie Hellman Packets #

129####################################

130# From X9.42 (or RFC3279)

131

132

133class ValidationParms(ASN1_Packet):

134 ASN1_codec = ASN1_Codecs.BER

135 ASN1_root = ASN1F_SEQUENCE(

136 ASN1F_BIT_STRING("seed", ""),

137 ASN1F_INTEGER("pgenCounter", 0),

138 )

139

140

141class DomainParameters(ASN1_Packet):

142 ASN1_codec = ASN1_Codecs.BER

143 ASN1_root = ASN1F_SEQUENCE(

144 ASN1F_INTEGER("p", 0),

145 ASN1F_INTEGER("g", 0),

146 ASN1F_INTEGER("q", 0),

147 ASN1F_optional(ASN1F_INTEGER("j", 0)),

148 ASN1F_optional(

149 ASN1F_PACKET("validationParms", None, ValidationParms),

150 ),

151 )

152

153

154class DHPublicKey(ASN1_Packet):

155 ASN1_codec = ASN1_Codecs.BER

156 ASN1_root = ASN1F_INTEGER("y", 0)

157

158

159####################################

160# ECDSA packets #

161####################################

162# based on RFC 3279 & 5480 & 5915

163

164

165class ECFieldID(ASN1_Packet):

166 # No characteristic-two-field support for now.

167 ASN1_codec = ASN1_Codecs.BER

168 ASN1_root = ASN1F_SEQUENCE(

169 ASN1F_OID("fieldType", "prime-field"),

170 ASN1F_INTEGER("prime", 0))

171

172

173class ECCurve(ASN1_Packet):

174 ASN1_codec = ASN1_Codecs.BER

175 ASN1_root = ASN1F_SEQUENCE(

176 ASN1F_STRING("a", ""),

177 ASN1F_STRING("b", ""),

178 ASN1F_optional(

179 ASN1F_BIT_STRING("seed", None)))

180

181

182class ECSpecifiedDomain(ASN1_Packet):

183 ASN1_codec = ASN1_Codecs.BER

184 ASN1_root = ASN1F_SEQUENCE(

185 ASN1F_enum_INTEGER("version", 1, {1: "ecpVer1"}),

186 ASN1F_PACKET("fieldID", ECFieldID(), ECFieldID),

187 ASN1F_PACKET("curve", ECCurve(), ECCurve),

188 ASN1F_STRING("base", ""),

189 ASN1F_INTEGER("order", 0),

190 ASN1F_optional(

191 ASN1F_INTEGER("cofactor", None)))

192

193

194class ECParameters(ASN1_Packet):

195 ASN1_codec = ASN1_Codecs.BER

196 ASN1_root = ASN1F_CHOICE("curve", ASN1_OID("ansip384r1"),

197 ASN1F_OID, # for named curves

198 ASN1F_NULL, # for implicit curves

199 ECSpecifiedDomain)

200

201

202class ECDSAPublicKey(ASN1_Packet):

203 ASN1_codec = ASN1_Codecs.BER

204 ASN1_root = ASN1F_BIT_STRING("ecPoint", "")

205

206

207class ECDSAPrivateKey(ASN1_Packet):

208 ASN1_codec = ASN1_Codecs.BER

209 ASN1_root = ASN1F_SEQUENCE(

210 ASN1F_enum_INTEGER("version", 1, {1: "ecPrivkeyVer1"}),

211 ASN1F_STRING("privateKey", ""),

212 ASN1F_optional(

213 ASN1F_PACKET("parameters", None, ECParameters,

214 explicit_tag=0xa0)),

215 ASN1F_optional(

216 ASN1F_PACKET("publicKey", None,

217 ECDSAPublicKey,

218 explicit_tag=0xa1)))

219

220

221class ECDSASignature(ASN1_Packet):

222 ASN1_codec = ASN1_Codecs.BER

223 ASN1_root = ASN1F_SEQUENCE(

224 ASN1F_INTEGER("r", 0),

225 ASN1F_INTEGER("s", 0))

226

227

228####################################

229# Diffie Hellman Exchange Packets #

230####################################

231# based on PKCS#3

232

233# PKCS#3 sect 9

234

235class DHParameter(ASN1_Packet):

236 ASN1_codec = ASN1_Codecs.BER

237 ASN1_root = ASN1F_SEQUENCE(

238 ASN1F_INTEGER("p", 0),

239 ASN1F_INTEGER("g", 0),

240 ASN1F_optional(

241 ASN1F_INTEGER("l", 0) # aka. 'privateValueLength'

242 ),

243 )

244

245

246####################################

247# x25519/x448 packets #

248####################################

249# based on RFC 8410

250

251class EdDSAPublicKey(ASN1_Packet):

252 ASN1_codec = ASN1_Codecs.BER

253 ASN1_root = ASN1F_BIT_STRING("ecPoint", "")

254

255

256class AlgorithmIdentifier(ASN1_Packet):

257 ASN1_codec = ASN1_Codecs.BER

258 ASN1_root = ASN1F_SEQUENCE(

259 ASN1F_OID("algorithm", None),

260 )

261

262

263class EdDSAPrivateKey(ASN1_Packet):

264 ASN1_codec = ASN1_Codecs.BER

265 ASN1_root = ASN1F_SEQUENCE(

266 ASN1F_enum_INTEGER("version", 1, {1: "ecPrivkeyVer1"}),

267 ASN1F_PACKET("privateKeyAlgorithm", AlgorithmIdentifier(), AlgorithmIdentifier),

268 ASN1F_STRING("privateKey", ""),

269 ASN1F_optional(

270 ASN1F_PACKET("publicKey", None,

271 ECDSAPublicKey,

272 explicit_tag=0xa1)))

273

274

275######################

276# X509 packets #

277######################

278# based on RFC 5280

279

280

281# Names #

282

283class ASN1F_X509_DirectoryString(ASN1F_CHOICE):

284 # we include ASN1 bit strings and bmp strings for rare instances of x500 addresses

285 def __init__(self, name, default, **kwargs):

286 ASN1F_CHOICE.__init__(self, name, default,

287 ASN1F_PRINTABLE_STRING, ASN1F_UTF8_STRING,

288 ASN1F_IA5_STRING, ASN1F_T61_STRING,

289 ASN1F_UNIVERSAL_STRING, ASN1F_BIT_STRING,

290 ASN1F_BMP_STRING,

291 **kwargs)

292

293

294# More details on attributes in PKCS#9

295_X509_ATTRIBUTE_TYPE = {}

296

297

298class _AttributeValue_Field(ASN1F_field):

299 def m2i(self, pkt, s):

300 # Some types have special structures

301 if pkt.underlayer:

302 attrType = pkt.underlayer.type.val

303 if attrType in _X509_ATTRIBUTE_TYPE:

304 return self.extract_packet(

305 _X509_ATTRIBUTE_TYPE[attrType],

306 s,

307 _underlayer=pkt,

308 )

309 try:

310 return super(_AttributeValue_Field, self).m2i(pkt, s)

311 except BER_Decoding_Error:

312 # Do not fail on special attributes

313 return s, b""

314

315 def i2m(self, pkt, x):

316 # The special structures should be just bytes()

317 if pkt.underlayer and pkt.underlayer.type.val in _X509_ATTRIBUTE_TYPE:

318 return bytes(x)

319 return super(_AttributeValue_Field, self).i2m(pkt, x)

320

321

322class X509_AttributeValue(ASN1_Packet):

323 ASN1_codec = ASN1_Codecs.BER

324 ASN1_root = _AttributeValue_Field("value", ASN1_PRINTABLE_STRING("FR"))

325

326

327class X509_Attribute(ASN1_Packet):

328 ASN1_codec = ASN1_Codecs.BER

329 ASN1_root = ASN1F_SEQUENCE(

330 ASN1F_OID("type", "2.5.4.6"),

331 ASN1F_SET_OF("values",

332 [X509_AttributeValue()],

333 X509_AttributeValue))

334

335

336class X509_AttributeTypeAndValue(ASN1_Packet):

337 ASN1_codec = ASN1_Codecs.BER

338 ASN1_root = ASN1F_SEQUENCE(

339 ASN1F_OID("type", "2.5.4.6"),

340 ASN1F_X509_DirectoryString("value",

341 ASN1_PRINTABLE_STRING("FR")))

342

343

344class X509_RDN(ASN1_Packet):

345 ASN1_codec = ASN1_Codecs.BER

346 ASN1_root = ASN1F_SET_OF("rdn", [X509_AttributeTypeAndValue()],

347 X509_AttributeTypeAndValue)

348

349

350class X509_OtherName(ASN1_Packet):

351 ASN1_codec = ASN1_Codecs.BER

352 ASN1_root = ASN1F_SEQUENCE(

353 ASN1F_OID("type_id", "0"),

354 ASN1F_CHOICE("value", None,

355 ASN1F_IA5_STRING, ASN1F_ISO646_STRING,

356 ASN1F_BMP_STRING, ASN1F_UTF8_STRING,

357 ASN1F_STRING,

358 explicit_tag=0xa0))

359

360

361class ASN1F_X509_otherName(ASN1F_SEQUENCE):

362 # field version of X509_OtherName, for usage in [MS-WCCE]

363 def __init__(self, **kargs):

364 seq = [ASN1F_SEQUENCE(*X509_OtherName.ASN1_root.seq,

365 implicit_tag=0xA0)]

366 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

367

368

369class X509_RFC822Name(ASN1_Packet):

370 ASN1_codec = ASN1_Codecs.BER

371 ASN1_root = ASN1F_IA5_STRING("rfc822Name", "")

372

373

374class X509_DNSName(ASN1_Packet):

375 ASN1_codec = ASN1_Codecs.BER

376 ASN1_root = ASN1F_IA5_STRING("dNSName", "")

377

378# XXX write me

379

380

381class X509_X400Address(ASN1_Packet):

382 ASN1_codec = ASN1_Codecs.BER

383 ASN1_root = ASN1F_field("x400Address", "")

384

385

386_default_directoryName = [

387 X509_RDN(),

388 X509_RDN(

389 rdn=[X509_AttributeTypeAndValue(

390 type=ASN1_OID("2.5.4.10"),

391 value=ASN1_PRINTABLE_STRING("Scapy, Inc."))]),

392 X509_RDN(

393 rdn=[X509_AttributeTypeAndValue(

394 type=ASN1_OID("2.5.4.3"),

395 value=ASN1_PRINTABLE_STRING("Scapy Default Name"))])

396]

397

398

399class X509_DirectoryName(ASN1_Packet):

400 ASN1_codec = ASN1_Codecs.BER

401 ASN1_root = ASN1F_SEQUENCE_OF("directoryName", _default_directoryName,

402 X509_RDN)

403

404

405class X509_EDIPartyName(ASN1_Packet):

406 ASN1_codec = ASN1_Codecs.BER

407 ASN1_root = ASN1F_SEQUENCE(

408 ASN1F_optional(

409 ASN1F_X509_DirectoryString("nameAssigner", None,

410 explicit_tag=0xa0)),

411 ASN1F_X509_DirectoryString("partyName", None,

412 explicit_tag=0xa1))

413

414

415class X509_URI(ASN1_Packet):

416 ASN1_codec = ASN1_Codecs.BER

417 ASN1_root = ASN1F_IA5_STRING("uniformResourceIdentifier", "")

418

419

420class X509_IPAddress(ASN1_Packet):

421 ASN1_codec = ASN1_Codecs.BER

422 ASN1_root = ASN1F_STRING("iPAddress", "")

423

424

425class X509_RegisteredID(ASN1_Packet):

426 ASN1_codec = ASN1_Codecs.BER

427 ASN1_root = ASN1F_OID("registeredID", "")

428

429

430class X509_GeneralName(ASN1_Packet):

431 ASN1_codec = ASN1_Codecs.BER

432 ASN1_root = ASN1F_CHOICE("generalName", X509_DirectoryName(),

433 ASN1F_PACKET("otherName", None, X509_OtherName,

434 implicit_tag=0xa0),

435 ASN1F_PACKET("rfc822Name", None, X509_RFC822Name,

436 implicit_tag=0x81),

437 ASN1F_PACKET("dNSName", None, X509_DNSName,

438 implicit_tag=0x82),

439 ASN1F_PACKET("x400Address", None, X509_X400Address, # noqa: E501

440 explicit_tag=0xa3),

441 ASN1F_PACKET("directoryName", None, X509_DirectoryName, # noqa: E501

442 explicit_tag=0xa4),

443 ASN1F_PACKET("ediPartyName", None, X509_EDIPartyName, # noqa: E501

444 explicit_tag=0xa5),

445 ASN1F_PACKET("uniformResourceIdentifier", None, X509_URI, # noqa: E501

446 implicit_tag=0x86),

447 ASN1F_PACKET("ipAddress", None, X509_IPAddress,

448 implicit_tag=0x87),

449 ASN1F_PACKET("registeredID", None, X509_RegisteredID, # noqa: E501

450 implicit_tag=0x88))

451

452

453# Extensions #

454

455class X509_ExtAuthorityKeyIdentifier(ASN1_Packet):

456 ASN1_codec = ASN1_Codecs.BER

457 ASN1_root = ASN1F_SEQUENCE(

458 ASN1F_optional(

459 ASN1F_STRING("keyIdentifier", b"\xff" * 20,

460 implicit_tag=0x80)),

461 ASN1F_optional(

462 ASN1F_SEQUENCE_OF("authorityCertIssuer", None,

463 X509_GeneralName,

464 implicit_tag=0xa1)),

465 ASN1F_optional(

466 ASN1F_INTEGER("authorityCertSerialNumber", None,

467 implicit_tag=0x82)))

468

469

470class X509_ExtSubjectDirectoryAttributes(ASN1_Packet):

471 ASN1_codec = ASN1_Codecs.BER

472 ASN1_root = ASN1F_SEQUENCE_OF("subjectDirectoryAttributes",

473 [X509_Attribute()],

474 X509_Attribute)

475

476

477class X509_ExtSubjectKeyIdentifier(ASN1_Packet):

478 ASN1_codec = ASN1_Codecs.BER

479 ASN1_root = ASN1F_STRING("keyIdentifier", "xff" * 20)

480

481

482class X509_ExtFullName(ASN1_Packet):

483 ASN1_codec = ASN1_Codecs.BER

484 ASN1_root = ASN1F_SEQUENCE_OF("fullName", [X509_GeneralName()],

485 X509_GeneralName, implicit_tag=0xa0)

486

487

488class X509_ExtNameRelativeToCRLIssuer(ASN1_Packet):

489 ASN1_codec = ASN1_Codecs.BER

490 ASN1_root = ASN1F_PACKET("nameRelativeToCRLIssuer", X509_RDN(), X509_RDN,

491 implicit_tag=0xa1)

492

493

494class X509_ExtDistributionPointName(ASN1_Packet):

495 ASN1_codec = ASN1_Codecs.BER

496 ASN1_root = ASN1F_CHOICE("distributionPointName", None,

497 X509_ExtFullName, X509_ExtNameRelativeToCRLIssuer)

498

499

500_reasons_mapping = ["unused",

501 "keyCompromise",

502 "cACompromise",

503 "affiliationChanged",

504 "superseded",

505 "cessationOfOperation",

506 "certificateHold",

507 "privilegeWithdrawn",

508 "aACompromise"]

509

510

511class X509_ExtDistributionPoint(ASN1_Packet):

512 ASN1_codec = ASN1_Codecs.BER

513 ASN1_root = ASN1F_SEQUENCE(

514 ASN1F_optional(

515 ASN1F_PACKET("distributionPoint",

516 X509_ExtDistributionPointName(),

517 X509_ExtDistributionPointName,

518 explicit_tag=0xa0)),

519 ASN1F_optional(

520 ASN1F_FLAGS("reasons", None, _reasons_mapping,

521 implicit_tag=0x81)),

522 ASN1F_optional(

523 ASN1F_SEQUENCE_OF("cRLIssuer", None,

524 X509_GeneralName,

525 implicit_tag=0xa2)))

526

527

528_ku_mapping = ["digitalSignature",

529 "nonRepudiation",

530 "keyEncipherment",

531 "dataEncipherment",

532 "keyAgreement",

533 "keyCertSign",

534 "cRLSign",

535 "encipherOnly",

536 "decipherOnly"]

537

538

539class X509_ExtKeyUsage(ASN1_Packet):

540 ASN1_codec = ASN1_Codecs.BER

541 ASN1_root = ASN1F_FLAGS("keyUsage", "101", _ku_mapping)

542

543 def get_keyUsage(self):

544 return self.ASN1_root.get_flags(self)

545

546

547class X509_ExtPrivateKeyUsagePeriod(ASN1_Packet):

548 ASN1_codec = ASN1_Codecs.BER

549 ASN1_root = ASN1F_SEQUENCE(

550 ASN1F_optional(

551 ASN1F_GENERALIZED_TIME("notBefore",

552 str(GeneralizedTime(-600)),

553 implicit_tag=0x80)),

554 ASN1F_optional(

555 ASN1F_GENERALIZED_TIME("notAfter",

556 str(GeneralizedTime(+86400)),

557 implicit_tag=0x81)))

558

559

560class X509_PolicyMapping(ASN1_Packet):

561 ASN1_codec = ASN1_Codecs.BER

562 ASN1_root = ASN1F_SEQUENCE(

563 ASN1F_OID("issuerDomainPolicy", None),

564 ASN1F_OID("subjectDomainPolicy", None))

565

566

567class X509_ExtPolicyMappings(ASN1_Packet):

568 ASN1_codec = ASN1_Codecs.BER

569 ASN1_root = ASN1F_SEQUENCE_OF("policyMappings", [], X509_PolicyMapping)

570

571

572class X509_ExtBasicConstraints(ASN1_Packet):

573 # The cA field should not be optional, but some certs omit it for False.

574 ASN1_codec = ASN1_Codecs.BER

575 ASN1_root = ASN1F_SEQUENCE(

576 ASN1F_optional(

577 ASN1F_BOOLEAN("cA", False)),

578 ASN1F_optional(

579 ASN1F_INTEGER("pathLenConstraint", None)))

580

581

582class X509_ExtCRLNumber(ASN1_Packet):

583 ASN1_codec = ASN1_Codecs.BER

584 ASN1_root = ASN1F_INTEGER("cRLNumber", 0)

585

586

587_cRL_reasons = ["unspecified",

588 "keyCompromise",

589 "cACompromise",

590 "affiliationChanged",

591 "superseded",

592 "cessationOfOperation",

593 "certificateHold",

594 "unused_reasonCode",

595 "removeFromCRL",

596 "privilegeWithdrawn",

597 "aACompromise"]

598

599

600class X509_ExtReasonCode(ASN1_Packet):

601 ASN1_codec = ASN1_Codecs.BER

602 ASN1_root = ASN1F_ENUMERATED("cRLReason", 0, _cRL_reasons)

603

604

605class X509_ExtDeltaCRLIndicator(ASN1_Packet):

606 ASN1_codec = ASN1_Codecs.BER

607 ASN1_root = ASN1F_INTEGER("deltaCRLIndicator", 0)

608

609

610class X509_ExtIssuingDistributionPoint(ASN1_Packet):

611 ASN1_codec = ASN1_Codecs.BER

612 ASN1_root = ASN1F_SEQUENCE(

613 ASN1F_optional(

614 ASN1F_PACKET("distributionPoint",

615 X509_ExtDistributionPointName(),

616 X509_ExtDistributionPointName,

617 explicit_tag=0xa0)),

618 ASN1F_BOOLEAN("onlyContainsUserCerts", False,

619 implicit_tag=0x81),

620 ASN1F_BOOLEAN("onlyContainsCACerts", False,

621 implicit_tag=0x82),

622 ASN1F_optional(

623 ASN1F_FLAGS("onlySomeReasons", None,

624 _reasons_mapping,

625 implicit_tag=0x83)),

626 ASN1F_BOOLEAN("indirectCRL", False,

627 implicit_tag=0x84),

628 ASN1F_BOOLEAN("onlyContainsAttributeCerts", False,

629 implicit_tag=0x85))

630

631

632class X509_ExtCertificateIssuer(ASN1_Packet):

633 ASN1_codec = ASN1_Codecs.BER

634 ASN1_root = ASN1F_SEQUENCE_OF("certificateIssuer", [], X509_GeneralName)

635

636

637class X509_ExtInvalidityDate(ASN1_Packet):

638 ASN1_codec = ASN1_Codecs.BER

639 ASN1_root = ASN1F_GENERALIZED_TIME("invalidityDate", str(ZuluTime(+86400)))

640

641

642class X509_ExtSubjectAltName(ASN1_Packet):

643 ASN1_codec = ASN1_Codecs.BER

644 ASN1_root = ASN1F_SEQUENCE_OF("subjectAltName", [], X509_GeneralName)

645

646

647class X509_ExtIssuerAltName(ASN1_Packet):

648 ASN1_codec = ASN1_Codecs.BER

649 ASN1_root = ASN1F_SEQUENCE_OF("issuerAltName", [], X509_GeneralName)

650

651

652class X509_ExtGeneralSubtree(ASN1_Packet):

653 # 'minimum' is not optional in RFC 5280, yet it is in some implementations.

654 ASN1_codec = ASN1_Codecs.BER

655 ASN1_root = ASN1F_SEQUENCE(

656 ASN1F_PACKET("base", X509_GeneralName(), X509_GeneralName),

657 ASN1F_optional(

658 ASN1F_INTEGER("minimum", None, implicit_tag=0x80)),

659 ASN1F_optional(

660 ASN1F_INTEGER("maximum", None, implicit_tag=0x81)))

661

662

663class X509_ExtNameConstraints(ASN1_Packet):

664 ASN1_codec = ASN1_Codecs.BER

665 ASN1_root = ASN1F_SEQUENCE(

666 ASN1F_optional(

667 ASN1F_SEQUENCE_OF("permittedSubtrees", None,

668 X509_ExtGeneralSubtree,

669 implicit_tag=0xa0)),

670 ASN1F_optional(

671 ASN1F_SEQUENCE_OF("excludedSubtrees", None,

672 X509_ExtGeneralSubtree,

673 implicit_tag=0xa1)))

674

675

676class X509_ExtPolicyConstraints(ASN1_Packet):

677 ASN1_codec = ASN1_Codecs.BER

678 ASN1_root = ASN1F_SEQUENCE(

679 ASN1F_optional(

680 ASN1F_INTEGER("requireExplicitPolicy", None,

681 implicit_tag=0x80)),

682 ASN1F_optional(

683 ASN1F_INTEGER("inhibitPolicyMapping", None,

684 implicit_tag=0x81)))

685

686

687class X509_ExtExtendedKeyUsage(ASN1_Packet):

688 ASN1_codec = ASN1_Codecs.BER

689 ASN1_root = ASN1F_SEQUENCE_OF("extendedKeyUsage", [], ASN1P_OID)

690

691 def get_extendedKeyUsage(self):

692 eku_array = self.extendedKeyUsage

693 return [eku.oid.oidname for eku in eku_array]

694

695

696class X509_ExtNoticeReference(ASN1_Packet):

697 ASN1_codec = ASN1_Codecs.BER

698 ASN1_root = ASN1F_SEQUENCE(

699 ASN1F_CHOICE("organization",

700 ASN1_UTF8_STRING("Dummy Organization"),

701 ASN1F_IA5_STRING, ASN1F_ISO646_STRING,

702 ASN1F_BMP_STRING, ASN1F_UTF8_STRING),

703 ASN1F_SEQUENCE_OF("noticeNumbers", [], ASN1P_INTEGER))

704

705

706class X509_ExtUserNotice(ASN1_Packet):

707 ASN1_codec = ASN1_Codecs.BER

708 ASN1_root = ASN1F_SEQUENCE(

709 ASN1F_optional(

710 ASN1F_PACKET("noticeRef", None,

711 X509_ExtNoticeReference)),

712 ASN1F_optional(

713 ASN1F_CHOICE("explicitText",

714 ASN1_UTF8_STRING("Dummy ExplicitText"),

715 ASN1F_IA5_STRING, ASN1F_ISO646_STRING,

716 ASN1F_BMP_STRING, ASN1F_UTF8_STRING)))

717

718

719class X509_ExtPolicyQualifierInfo(ASN1_Packet):

720 ASN1_codec = ASN1_Codecs.BER

721 ASN1_root = ASN1F_SEQUENCE(

722 ASN1F_OID("policyQualifierId", "1.3.6.1.5.5.7.2.1"),

723 ASN1F_CHOICE("qualifier", ASN1_IA5_STRING("cps_str"),

724 ASN1F_IA5_STRING, X509_ExtUserNotice))

725

726

727class X509_ExtPolicyInformation(ASN1_Packet):

728 ASN1_codec = ASN1_Codecs.BER

729 ASN1_root = ASN1F_SEQUENCE(

730 ASN1F_OID("policyIdentifier", "2.5.29.32.0"),

731 ASN1F_optional(

732 ASN1F_SEQUENCE_OF("policyQualifiers", None,

733 X509_ExtPolicyQualifierInfo)))

734

735

736class X509_ExtCertificatePolicies(ASN1_Packet):

737 ASN1_codec = ASN1_Codecs.BER

738 ASN1_root = ASN1F_SEQUENCE_OF("certificatePolicies",

739 [X509_ExtPolicyInformation()],

740 X509_ExtPolicyInformation)

741

742

743class X509_ExtCRLDistributionPoints(ASN1_Packet):

744 ASN1_codec = ASN1_Codecs.BER

745 ASN1_root = ASN1F_SEQUENCE_OF("cRLDistributionPoints",

746 [X509_ExtDistributionPoint()],

747 X509_ExtDistributionPoint)

748

749

750class X509_ExtInhibitAnyPolicy(ASN1_Packet):

751 ASN1_codec = ASN1_Codecs.BER

752 ASN1_root = ASN1F_INTEGER("skipCerts", 0)

753

754

755class X509_ExtFreshestCRL(ASN1_Packet):

756 ASN1_codec = ASN1_Codecs.BER

757 ASN1_root = ASN1F_SEQUENCE_OF("cRLDistributionPoints",

758 [X509_ExtDistributionPoint()],

759 X509_ExtDistributionPoint)

760

761

762class X509_AccessDescription(ASN1_Packet):

763 ASN1_codec = ASN1_Codecs.BER

764 ASN1_root = ASN1F_SEQUENCE(

765 ASN1F_OID("accessMethod", "0"),

766 ASN1F_PACKET("accessLocation", X509_GeneralName(),

767 X509_GeneralName))

768

769

770class X509_ExtAuthInfoAccess(ASN1_Packet):

771 ASN1_codec = ASN1_Codecs.BER

772 ASN1_root = ASN1F_SEQUENCE_OF("authorityInfoAccess",

773 [X509_AccessDescription()],

774 X509_AccessDescription)

775

776

777class X509_ExtQcStatement(ASN1_Packet):

778 ASN1_codec = ASN1_Codecs.BER

779 ASN1_root = ASN1F_SEQUENCE(

780 ASN1F_OID("statementId", "0.4.0.1862.1.1"),

781 ASN1F_optional(

782 ASN1F_field("statementInfo", None)))

783

784

785class X509_ExtQcStatements(ASN1_Packet):

786 ASN1_codec = ASN1_Codecs.BER

787 ASN1_root = ASN1F_SEQUENCE_OF("qcStatements",

788 [X509_ExtQcStatement()],

789 X509_ExtQcStatement)

790

791

792class X509_ExtSubjInfoAccess(ASN1_Packet):

793 ASN1_codec = ASN1_Codecs.BER

794 ASN1_root = ASN1F_SEQUENCE_OF("subjectInfoAccess",

795 [X509_AccessDescription()],

796 X509_AccessDescription)

797

798

799class X509_ExtNetscapeCertType(ASN1_Packet):

800 ASN1_codec = ASN1_Codecs.BER

801 ASN1_root = ASN1F_BIT_STRING("netscapeCertType", "")

802

803

804class X509_ExtComment(ASN1_Packet):

805 ASN1_codec = ASN1_Codecs.BER

806 ASN1_root = ASN1F_CHOICE("comment",

807 ASN1_UTF8_STRING("Dummy comment."),

808 ASN1F_IA5_STRING, ASN1F_ISO646_STRING,

809 ASN1F_BMP_STRING, ASN1F_UTF8_STRING)

810

811

812class X509_ExtCertificateTemplateName(ASN1_Packet):

813 ASN1_codec = ASN1_Codecs.BER

814 ASN1_root = ASN1F_BMP_STRING("Name", b"")

815

816

817class X509_ExtOidNTDSCaSecurity(ASN1_Packet):

818 ASN1_codec = ASN1_Codecs.BER

819 ASN1_root = ASN1F_X509_otherName()

820 type_id = ASN1_OID("1.3.6.1.4.1.311.25.2.1")

821 value = ASN1_UTF8_STRING("")

822

823

824# [MS-WCCE] sect 2.2.2.7.7.2

825

826class X509_ExtCertificateTemplateOID(ASN1_Packet):

827 ASN1_codec = ASN1_Codecs.BER

828 ASN1_root = ASN1F_SEQUENCE(

829 ASN1F_OID("templateID", "0"),

830 ASN1F_optional(

831 ASN1F_INTEGER("templateMajorVersion", 0),

832 ),

833 ASN1F_optional(

834 ASN1F_INTEGER("templateMinorVersion", 0),

835 ),

836 )

837

838

839# oid-info.com shows that some extensions share multiple OIDs.

840# Here we only reproduce those written in RFC5280.

841_ext_mapping = {

842 "2.5.29.9": X509_ExtSubjectDirectoryAttributes,

843 "2.5.29.14": X509_ExtSubjectKeyIdentifier,

844 "2.5.29.15": X509_ExtKeyUsage,

845 "2.5.29.16": X509_ExtPrivateKeyUsagePeriod,

846 "2.5.29.17": X509_ExtSubjectAltName,

847 "2.5.29.18": X509_ExtIssuerAltName,

848 "2.5.29.19": X509_ExtBasicConstraints,

849 "2.5.29.20": X509_ExtCRLNumber,

850 "2.5.29.21": X509_ExtReasonCode,

851 "2.5.29.24": X509_ExtInvalidityDate,

852 "2.5.29.27": X509_ExtDeltaCRLIndicator,

853 "2.5.29.28": X509_ExtIssuingDistributionPoint,

854 "2.5.29.29": X509_ExtCertificateIssuer,

855 "2.5.29.30": X509_ExtNameConstraints,

856 "2.5.29.31": X509_ExtCRLDistributionPoints,

857 "2.5.29.32": X509_ExtCertificatePolicies,

858 "2.5.29.33": X509_ExtPolicyMappings,

859 "2.5.29.35": X509_ExtAuthorityKeyIdentifier,

860 "2.5.29.36": X509_ExtPolicyConstraints,

861 "2.5.29.37": X509_ExtExtendedKeyUsage,

862 "2.5.29.46": X509_ExtFreshestCRL,

863 "2.5.29.54": X509_ExtInhibitAnyPolicy,

864 "2.16.840.1.113730.1.1": X509_ExtNetscapeCertType,

865 "2.16.840.1.113730.1.13": X509_ExtComment,

866 "1.3.6.1.4.1.311.20.2": X509_ExtCertificateTemplateName,

867 "1.3.6.1.4.1.311.21.7": X509_ExtCertificateTemplateOID,

868 "1.3.6.1.4.1.311.21.10": X509_ExtCertificatePolicies,

869 "1.3.6.1.4.1.311.25.2": X509_ExtOidNTDSCaSecurity,

870 "1.3.6.1.5.5.7.1.1": X509_ExtAuthInfoAccess,

871 "1.3.6.1.5.5.7.1.3": X509_ExtQcStatements,

872 "1.3.6.1.5.5.7.1.11": X509_ExtSubjInfoAccess

873}

874

875

876class _X509_ExtField(ASN1F_STRING_PacketField):

877 def m2i(self, pkt, s):

878 val = super(_X509_ExtField, self).m2i(pkt, s)

879 if not val[0].val:

880 return val

881 if pkt.extnID.val in _ext_mapping:

882 return (

883 _ext_mapping[pkt.extnID.val](val[0].val, _underlayer=pkt),

884 val[1],

885 )

886 return val

887

888

889class ASN1F_EXT_SEQUENCE(ASN1F_SEQUENCE):

890 def __init__(self, **kargs):

891 seq = [ASN1F_OID("extnID", "2.5.29.19"),

892 ASN1F_optional(

893 ASN1F_BOOLEAN("critical", False)),

894 _X509_ExtField("extnValue", X509_ExtBasicConstraints())]

895 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

896

897

898class X509_Extension(ASN1_Packet):

899 ASN1_codec = ASN1_Codecs.BER

900 ASN1_root = ASN1F_EXT_SEQUENCE()

901

902

903class X509_Extensions(ASN1_Packet):

904 # we use this in OCSP status requests, in tls/handshake.py

905 ASN1_codec = ASN1_Codecs.BER

906 ASN1_root = ASN1F_optional(

907 ASN1F_SEQUENCE_OF("extensions",

908 None, X509_Extension))

909

910

911# Aka 'ExtensionReq' in CMS

912_X509_ATTRIBUTE_TYPE["1.2.840.113549.1.9.14"] = X509_Extensions

913

914

915# Public key wrapper #

916

917class X509_AlgorithmIdentifier(ASN1_Packet):

918 ASN1_codec = ASN1_Codecs.BER

919 ASN1_root = ASN1F_SEQUENCE(

920 ASN1F_OID("algorithm", "1.2.840.113549.1.1.11"),

921 MultipleTypeField(

922 [

923 (

924 # RFC4055:

925 # "The correct encoding is to omit the parameters field"

926 # "All implementations MUST accept both NULL and absent

927 # parameters as legal and equivalent encodings."

928

929 # RFC8017:

930 # "should generally be omitted, but if present, it shall have a

931 # value of type NULL."

932 ASN1F_optional(ASN1F_NULL("parameters", None)),

933 lambda pkt: (

934 pkt.algorithm.val[:19] == "1.2.840.113549.1.1." or

935 pkt.algorithm.val[:21] == "2.16.840.1.101.3.4.2." or

936 pkt.algorithm.val[:11] == "1.3.14.3.2."

937 )

938 ),

939 (

940 # RFC5758:

941 # "the encoding MUST omit the parameters field"

942

943 # RFC8410:

944 # "For all of the OIDs, the parameters MUST be absent."

945 ASN1F_omit("parameters", None),

946 lambda pkt: (

947 pkt.algorithm.val[:16] == "1.2.840.10045.4." or

948 pkt.algorithm.val in ["1.3.101.112", "1.3.101.113"]

949 )

950 ),

951 # RFC5480

952 (

953 ASN1F_PACKET(

954 "parameters",

955 ECParameters(),

956 ECParameters,

957 ),

958 lambda pkt: pkt.algorithm.val == "1.2.840.10045.2.1",

959 ),

960 # RFC3279

961 (

962 ASN1F_PACKET(

963 "parameters",

964 DomainParameters(),

965 DomainParameters,

966 ),

967 lambda pkt: pkt.algorithm.val == "1.2.840.10046.2.1",

968 ),

969 # PKCS#3

970 (

971 ASN1F_PACKET(

972 "parameters",

973 DHParameter(),

974 DHParameter,

975 ),

976 lambda pkt: pkt.algorithm.val == "1.2.840.113549.1.3.1",

977 ),

978 # TripleDES

979 (

980 ASN1F_STRING(

981 "parameters",

982 "",

983 ),

984 lambda pkt: pkt.algorithm.val == "1.2.840.113549.3.7",

985 ),

986 ],

987 # Default: fail, probably. This is most likely unimplemented.

988 ASN1F_NULL("parameters", 0),

989 )

990 )

991

992

993class ASN1F_X509_SubjectPublicKeyInfo(ASN1F_SEQUENCE):

994 def __init__(self, **kargs):

995 seq = [ASN1F_PACKET("signatureAlgorithm",

996 X509_AlgorithmIdentifier(),

997 X509_AlgorithmIdentifier),

998 MultipleTypeField(

999 [

1000 (ASN1F_BIT_STRING_ENCAPS("subjectPublicKey",

1001 RSAPublicKey(),

1002 RSAPublicKey),

1003 lambda pkt: "rsa" in pkt.signatureAlgorithm.algorithm.oidname.lower()), # noqa: E501

1004 (ASN1F_PACKET("subjectPublicKey",

1005 ECDSAPublicKey(),

1006 ECDSAPublicKey),

1007 lambda pkt: "ecPublicKey" == pkt.signatureAlgorithm.algorithm.oidname), # noqa: E501

1008 (ASN1F_BIT_STRING_ENCAPS("subjectPublicKey",

1009 DHPublicKey(),

1010 DHPublicKey),

1011 lambda pkt: "dhpublicnumber" == pkt.signatureAlgorithm.algorithm.oidname), # noqa: E501

1012 (ASN1F_PACKET("subjectPublicKey",

1013 EdDSAPublicKey(),

1014 EdDSAPublicKey),

1015 lambda pkt: pkt.signatureAlgorithm.algorithm.oidname in ["Ed25519", "Ed448"]), # noqa: E501

1016 ],

1017 ASN1F_BIT_STRING("subjectPublicKey", ""))]

1018 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

1019

1020

1021class X509_SubjectPublicKeyInfo(ASN1_Packet):

1022 ASN1_codec = ASN1_Codecs.BER

1023 ASN1_root = ASN1F_X509_SubjectPublicKeyInfo()

1024

1025

1026# OpenSSL compatibility wrappers #

1027

1028# XXX As ECDSAPrivateKey already uses the structure from RFC 5958,

1029# and as we would prefer encapsulated RSA private keys to be parsed,

1030# this lazy implementation actually supports RSA encoding only.

1031# We'd rather call it RSAPrivateKey_OpenSSL than X509_PrivateKeyInfo.

1032class RSAPrivateKey_OpenSSL(ASN1_Packet):

1033 ASN1_codec = ASN1_Codecs.BER

1034 ASN1_root = ASN1F_SEQUENCE(

1035 ASN1F_enum_INTEGER("version", 0, ["v1", "v2"]),

1036 ASN1F_PACKET("privateKeyAlgorithm",

1037 X509_AlgorithmIdentifier(),

1038 X509_AlgorithmIdentifier),

1039 ASN1F_PACKET("privateKey",

1040 RSAPrivateKey(),

1041 RSAPrivateKey,

1042 explicit_tag=0x04),

1043 ASN1F_optional(

1044 ASN1F_PACKET("parameters", None, ECParameters,

1045 explicit_tag=0xa0)),

1046 ASN1F_optional(

1047 ASN1F_PACKET("publicKey", None,

1048 ECDSAPublicKey,

1049 explicit_tag=0xa1)))

1050

1051# We need this hack because ECParameters parsing below must return

1052# a Padding payload, and making the ASN1_Packet class have Padding

1053# instead of Raw payload would break things...

1054

1055

1056class _PacketFieldRaw(PacketField):

1057 def getfield(self, pkt, s):

1058 i = self.m2i(pkt, s)

1059 remain = ""

1060 if conf.raw_layer in i:

1061 r = i[conf.raw_layer]

1062 del r.underlayer.payload

1063 remain = r.load

1064 return remain, i

1065

1066

1067class ECDSAPrivateKey_OpenSSL(Packet):

1068 name = "ECDSA Params + Private Key"

1069 fields_desc = [_PacketFieldRaw("ecparam",

1070 ECParameters(),

1071 ECParameters),

1072 PacketField("privateKey",

1073 ECDSAPrivateKey(),

1074 ECDSAPrivateKey)]

1075

1076

1077# TBSCertificate & Certificate #

1078

1079_default_issuer = [

1080 X509_RDN(),

1081 X509_RDN(

1082 rdn=[X509_AttributeTypeAndValue(

1083 type=ASN1_OID("2.5.4.10"),

1084 value=ASN1_PRINTABLE_STRING("Scapy, Inc."))]),

1085 X509_RDN(

1086 rdn=[X509_AttributeTypeAndValue(

1087 type=ASN1_OID("2.5.4.3"),

1088 value=ASN1_PRINTABLE_STRING("Scapy Default Issuer"))])

1089]

1090

1091_default_subject = [

1092 X509_RDN(),

1093 X509_RDN(

1094 rdn=[X509_AttributeTypeAndValue(

1095 type=ASN1_OID("2.5.4.10"),

1096 value=ASN1_PRINTABLE_STRING("Scapy, Inc."))]),

1097 X509_RDN(

1098 rdn=[X509_AttributeTypeAndValue(

1099 type=ASN1_OID("2.5.4.3"),

1100 value=ASN1_PRINTABLE_STRING("Scapy Default Subject"))])

1101]

1102

1103

1104class _IssuerUtils:

1105 def get_issuer(self):

1106 attrs = self.issuer

1107 attrsDict = {}

1108 for attr in attrs:

1109 # we assume there is only one name in each rdn ASN1_SET

1110 attrsDict[attr.rdn[0].type.oidname] = plain_str(attr.rdn[0].value.val) # noqa: E501

1111 return attrsDict

1112

1113 def get_issuer_str(self):

1114 """

1115 Returns a one-line string containing every type/value

1116 in a rather specific order. sorted() built-in ensures unicity.

1117 """

1118 name_str = ""

1119 attrsDict = self.get_issuer()

1120 for attrType, attrSymbol in _attrName_mapping:

1121 if attrType in attrsDict:

1122 name_str += "/" + attrSymbol + "="

1123 name_str += attrsDict[attrType]

1124 for attrType in sorted(attrsDict):

1125 if attrType not in _attrName_specials:

1126 name_str += "/" + attrType + "="

1127 name_str += attrsDict[attrType]

1128 return name_str

1129

1130

1131class X509_Validity(ASN1_Packet):

1132 ASN1_codec = ASN1_Codecs.BER

1133 ASN1_root = ASN1F_SEQUENCE(

1134 ASN1F_CHOICE("not_before",

1135 ASN1_UTC_TIME(str(ZuluTime(-600))),

1136 ASN1F_UTC_TIME, ASN1F_GENERALIZED_TIME),

1137 ASN1F_CHOICE("not_after",

1138 ASN1_UTC_TIME(str(ZuluTime(+86400))),

1139 ASN1F_UTC_TIME, ASN1F_GENERALIZED_TIME))

1140

1141

1142_attrName_mapping = [

1143 ("countryName", "C"),

1144 ("stateOrProvinceName", "ST"),

1145 ("localityName", "L"),

1146 ("organizationName", "O"),

1147 ("organizationUnitName", "OU"),

1148 ("commonName", "CN")

1149]

1150_attrName_specials = [name for name, symbol in _attrName_mapping]

1151

1152

1153class X509_TBSCertificate(ASN1_Packet, _IssuerUtils):

1154 ASN1_codec = ASN1_Codecs.BER

1155 ASN1_root = ASN1F_SEQUENCE(

1156 ASN1F_optional(

1157 ASN1F_enum_INTEGER("version", 0x2, ["v1", "v2", "v3"],

1158 explicit_tag=0xa0)),

1159 ASN1F_INTEGER("serialNumber", 1),

1160 ASN1F_PACKET("signature",

1161 X509_AlgorithmIdentifier(),

1162 X509_AlgorithmIdentifier),

1163 ASN1F_SEQUENCE_OF("issuer", _default_issuer, X509_RDN),

1164 ASN1F_PACKET("validity",

1165 X509_Validity(),

1166 X509_Validity),

1167 ASN1F_SEQUENCE_OF("subject", _default_subject, X509_RDN),

1168 ASN1F_PACKET("subjectPublicKeyInfo",

1169 X509_SubjectPublicKeyInfo(),

1170 X509_SubjectPublicKeyInfo),

1171 ASN1F_optional(

1172 ASN1F_BIT_STRING("issuerUniqueID", None,

1173 implicit_tag=0x81)),

1174 ASN1F_optional(

1175 ASN1F_BIT_STRING("subjectUniqueID", None,

1176 implicit_tag=0x82)),

1177 ASN1F_optional(

1178 ASN1F_SEQUENCE_OF("extensions",

1179 [X509_Extension()],

1180 X509_Extension,

1181 explicit_tag=0xa3)))

1182

1183 def get_subject(self):

1184 attrs = self.subject

1185 attrsDict = {}

1186 for attr in attrs:

1187 # we assume there is only one name in each rdn ASN1_SET

1188 attrsDict[attr.rdn[0].type.oidname] = plain_str(attr.rdn[0].value.val) # noqa: E501

1189 return attrsDict

1190

1191 def get_subject_str(self):

1192 name_str = ""

1193 attrsDict = self.get_subject()

1194 for attrType, attrSymbol in _attrName_mapping:

1195 if attrType in attrsDict:

1196 name_str += "/" + attrSymbol + "="

1197 name_str += attrsDict[attrType]

1198 for attrType in sorted(attrsDict):

1199 if attrType not in _attrName_specials:

1200 name_str += "/" + attrType + "="

1201 name_str += attrsDict[attrType]

1202 return name_str

1203

1204

1205class ASN1F_X509_Cert(ASN1F_SEQUENCE):

1206 def __init__(self, **kargs):

1207 seq = [ASN1F_PACKET("tbsCertificate",

1208 X509_TBSCertificate(),

1209 X509_TBSCertificate),

1210 ASN1F_PACKET("signatureAlgorithm",

1211 X509_AlgorithmIdentifier(),

1212 X509_AlgorithmIdentifier),

1213 MultipleTypeField(

1214 [

1215 (ASN1F_BIT_STRING_ENCAPS("signatureValue",

1216 ECDSASignature(),

1217 ECDSASignature),

1218 lambda pkt: "ecdsa" in pkt.signatureAlgorithm.algorithm.oidname.lower()), # noqa: E501

1219 ],

1220 ASN1F_BIT_STRING("signatureValue",

1221 "defaultsignature" * 2))]

1222 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

1223

1224

1225class X509_Cert(ASN1_Packet):

1226 ASN1_codec = ASN1_Codecs.BER

1227 ASN1_root = ASN1F_X509_Cert()

1228

1229

1230# TBSCertList & CRL #

1231

1232class X509_RevokedCertificate(ASN1_Packet):

1233 ASN1_codec = ASN1_Codecs.BER

1234 ASN1_root = ASN1F_SEQUENCE(ASN1F_INTEGER("serialNumber", 1),

1235 ASN1F_UTC_TIME("revocationDate",

1236 str(ZuluTime(+86400))),

1237 ASN1F_optional(

1238 ASN1F_SEQUENCE_OF("crlEntryExtensions",

1239 None, X509_Extension)))

1240

1241

1242class X509_TBSCertList(ASN1_Packet, _IssuerUtils):

1243 ASN1_codec = ASN1_Codecs.BER

1244 ASN1_root = ASN1F_SEQUENCE(

1245 ASN1F_optional(

1246 ASN1F_enum_INTEGER("version", 1, ["v1", "v2"])),

1247 ASN1F_PACKET("signature",

1248 X509_AlgorithmIdentifier(),

1249 X509_AlgorithmIdentifier),

1250 ASN1F_SEQUENCE_OF("issuer", _default_issuer, X509_RDN),

1251 ASN1F_UTC_TIME("this_update", str(ZuluTime(-1))),

1252 ASN1F_optional(

1253 ASN1F_UTC_TIME("next_update", None)),

1254 ASN1F_optional(

1255 ASN1F_SEQUENCE_OF("revokedCertificates", None,

1256 X509_RevokedCertificate)),

1257 ASN1F_optional(

1258 ASN1F_SEQUENCE_OF("crlExtensions", None,

1259 X509_Extension,

1260 explicit_tag=0xa0)))

1261

1262

1263class ASN1F_X509_CRL(ASN1F_SEQUENCE):

1264 def __init__(self, **kargs):

1265 seq = [ASN1F_PACKET("tbsCertList",

1266 X509_TBSCertList(),

1267 X509_TBSCertList),

1268 ASN1F_PACKET("signatureAlgorithm",

1269 X509_AlgorithmIdentifier(),

1270 X509_AlgorithmIdentifier),

1271 MultipleTypeField(

1272 [

1273 (ASN1F_BIT_STRING_ENCAPS("signatureValue",

1274 ECDSASignature(),

1275 ECDSASignature),

1276 lambda pkt: "ecdsa" in pkt.signatureAlgorithm.algorithm.oidname.lower()), # noqa: E501

1277 ],

1278 ASN1F_BIT_STRING("signatureValue",

1279 "defaultsignature" * 2))]

1280 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

1281

1282

1283class X509_CRL(ASN1_Packet):

1284 ASN1_codec = ASN1_Codecs.BER

1285 ASN1_root = ASN1F_X509_CRL()

1286

1287

1288#####################

1289# CMS packets #

1290#####################

1291# based on RFC 3852

1292

1293CMSVersion = ASN1F_INTEGER

1294

1295# RFC3852 sect 5.2

1296

1297# Other layers should store the structures that can be encapsulated

1298# by CMS here, referred by their OIDs.

1299_CMS_ENCAPSULATED = {}

1300

1301

1302class _EncapsulatedContent_Field(ASN1F_STRING_PacketField):

1303 def m2i(self, pkt, s):

1304 val = super(_EncapsulatedContent_Field, self).m2i(pkt, s)

1305 if not val[0].val:

1306 return val

1307

1308 # Get encapsulated value from its type

1309 if pkt.eContentType.val in _CMS_ENCAPSULATED:

1310 return (

1311 _CMS_ENCAPSULATED[pkt.eContentType.val](val[0].val, _underlayer=pkt),

1312 val[1],

1313 )

1314

1315 return val

1316

1317

1318class CMS_EncapsulatedContentInfo(ASN1_Packet):

1319 ASN1_codec = ASN1_Codecs.BER

1320 ASN1_root = ASN1F_SEQUENCE(

1321 ASN1F_OID("eContentType", "0"),

1322 ASN1F_optional(

1323 _EncapsulatedContent_Field("eContent", None,

1324 explicit_tag=0xA0),

1325 ),

1326 )

1327

1328

1329# RFC3852 sect 10.2.1

1330

1331class CMS_RevocationInfoChoice(ASN1_Packet):

1332 ASN1_codec = ASN1_Codecs.BER

1333 ASN1_root = ASN1F_CHOICE(

1334 "crl", None,

1335 ASN1F_PACKET("crl", X509_CRL(), X509_Cert),

1336 # -- TODO: 1

1337 )

1338

1339

1340# RFC3852 sect 10.2.2

1341

1342class CMS_CertificateChoices(ASN1_Packet):

1343 ASN1_codec = ASN1_Codecs.BER

1344 ASN1_root = ASN1F_CHOICE(

1345 "certificate", None,

1346 ASN1F_PACKET("certificate", X509_Cert(), X509_Cert),

1347 # -- TODO: 0, 1, 2

1348 )

1349

1350

1351# RFC3852 sect 10.2.4

1352

1353class CMS_IssuerAndSerialNumber(ASN1_Packet, _IssuerUtils):

1354 ASN1_codec = ASN1_Codecs.BER

1355 ASN1_root = ASN1F_SEQUENCE(

1356 ASN1F_SEQUENCE_OF("issuer", _default_issuer, X509_RDN),

1357 ASN1F_INTEGER("serialNumber", 0)

1358 )

1359

1360

1361# RFC3852 sect 10.2.7

1362

1363class CMS_OtherKeyAttribute(ASN1_Packet):

1364 ASN1_codec = ASN1_Codecs.BER

1365 ASN1_root = ASN1F_SEQUENCE(

1366 ASN1F_OID("keyAttrId", "0"),

1367 ASN1F_field("keyAttr", 0),

1368 )

1369

1370

1371# RFC3852 sect 5.3

1372

1373

1374class CMS_SubjectKeyIdentifier(ASN1_Packet):

1375 ASN1_codec = ASN1_Codecs.BER

1376 ASN1_root = ASN1F_STRING("sid", "")

1377

1378

1379class CMS_SignerInfo(ASN1_Packet):

1380 ASN1_codec = ASN1_Codecs.BER

1381 ASN1_root = ASN1F_SEQUENCE(

1382 CMSVersion("version", 1),

1383 ASN1F_CHOICE(

1384 "sid",

1385 CMS_IssuerAndSerialNumber(),

1386 ASN1F_PACKET("sid", CMS_IssuerAndSerialNumber(),

1387 CMS_IssuerAndSerialNumber),

1388 ASN1F_PACKET("sid", CMS_SubjectKeyIdentifier(),

1389 CMS_SubjectKeyIdentifier,

1390 implicit_tag=0x80),

1391 ),

1392 ASN1F_PACKET("digestAlgorithm", X509_AlgorithmIdentifier(),

1393 X509_AlgorithmIdentifier),

1394 ASN1F_optional(

1395 ASN1F_SET_OF(

1396 "signedAttrs",

1397 None,

1398 X509_Attribute,

1399 implicit_tag=0xA0,

1400 )

1401 ),

1402 ASN1F_PACKET("signatureAlgorithm", X509_AlgorithmIdentifier(),

1403 X509_AlgorithmIdentifier),

1404 ASN1F_STRING("signature", ASN1_UTF8_STRING("")),

1405 ASN1F_optional(

1406 ASN1F_SET_OF(

1407 "unsignedAttrs",

1408 None,

1409 X509_Attribute,

1410 implicit_tag=0xA1,

1411 )

1412 )

1413 )

1414

1415

1416# RFC3852 sect 5.4

1417

1418class CMS_SignedAttrsForSignature(ASN1_Packet):

1419 ASN1_codec = ASN1_Codecs.BER

1420 ASN1_root = ASN1F_SET_OF(

1421 "signedAttrs",

1422 None,

1423 X509_Attribute,

1424 )

1425

1426

1427# RFC3852 sect 5.1

1428

1429class CMS_SignedData(ASN1_Packet):

1430 ASN1_codec = ASN1_Codecs.BER

1431 ASN1_root = ASN1F_SEQUENCE(

1432 CMSVersion("version", 1),

1433 ASN1F_SET_OF("digestAlgorithms", [], X509_AlgorithmIdentifier),

1434 ASN1F_PACKET("encapContentInfo", CMS_EncapsulatedContentInfo(),

1435 CMS_EncapsulatedContentInfo),

1436 ASN1F_optional(

1437 ASN1F_SET_OF(

1438 "certificates",

1439 None,

1440 CMS_CertificateChoices,

1441 implicit_tag=0xA0,

1442 )

1443 ),

1444 ASN1F_optional(

1445 ASN1F_SET_OF(

1446 "crls",

1447 None,

1448 CMS_RevocationInfoChoice,

1449 implicit_tag=0xA1,

1450 )

1451 ),

1452 ASN1F_SET_OF(

1453 "signerInfos",

1454 [],

1455 CMS_SignerInfo,

1456 ),

1457 )

1458

1459

1460# RFC3852 sect 6.2.1

1461

1462class CMS_KeyTransRecipientInfo(ASN1_Packet):

1463 ASN1_codec = ASN1_Codecs.BER

1464 ASN1_root = ASN1F_SEQUENCE(

1465 CMSVersion("version", 0),

1466 ASN1F_CHOICE(

1467 "rid",

1468 CMS_IssuerAndSerialNumber(),

1469 ASN1F_PACKET("rid", CMS_IssuerAndSerialNumber(),

1470 CMS_IssuerAndSerialNumber),

1471 ASN1F_PACKET("rid", CMS_SubjectKeyIdentifier(),

1472 CMS_SubjectKeyIdentifier,

1473 implicit_tag=0x80),

1474 ),

1475 ASN1F_PACKET("keyEncryptionAlgorithm",

1476 X509_AlgorithmIdentifier(),

1477 X509_AlgorithmIdentifier),

1478 ASN1F_STRING("encryptedKey", ""),

1479 )

1480

1481

1482# RFC3852 sect 6.2.2

1483

1484class CMS_OriginatorPublicKey(ASN1_Packet):

1485 ASN1_codec = ASN1_Codecs.BER

1486 ASN1_root = ASN1F_SEQUENCE(

1487 ASN1F_PACKET("algorithm",

1488 X509_AlgorithmIdentifier(),

1489 X509_AlgorithmIdentifier),

1490 ASN1F_BIT_STRING("publicKey", ""),

1491 )

1492

1493

1494class CMS_OriginatorIdentifierOrKey(ASN1_Packet):

1495 ASN1_codec = ASN1_Codecs.BER

1496 ASN1_root = ASN1F_CHOICE(

1497 "originator",

1498 CMS_IssuerAndSerialNumber(),

1499 ASN1F_PACKET("issuerAndSerialNumber", CMS_IssuerAndSerialNumber(),

1500 CMS_IssuerAndSerialNumber),

1501 ASN1F_PACKET("subjectKeyIdentifier", CMS_SubjectKeyIdentifier(),

1502 CMS_SubjectKeyIdentifier,

1503 implicit_tag=0x80),

1504 ASN1F_PACKET("originatorKey", CMS_OriginatorPublicKey(),

1505 CMS_OriginatorPublicKey,

1506 implicit_tag=0xA1),

1507 )

1508

1509

1510class CMS_RecipientEncryptedKey(ASN1_Packet):

1511 ASN1_codec = ASN1_Codecs.BER

1512 ASN1_root = ASN1F_SEQUENCE(

1513 ASN1F_PACKET("subjectKeyIdentifier", CMS_SubjectKeyIdentifier(),

1514 CMS_SubjectKeyIdentifier),

1515 ASN1F_optional(

1516 ASN1F_GENERALIZED_TIME("date", ""),

1517 ),

1518 ASN1F_optional(

1519 ASN1F_PACKET("other", CMS_OtherKeyAttribute(), CMS_OtherKeyAttribute),

1520 ),

1521 )

1522

1523

1524class CMS_KeyAgreeRecipientInfo(ASN1_Packet):

1525 ASN1_codec = ASN1_Codecs.BER

1526 ASN1_root = ASN1F_SEQUENCE(

1527 CMSVersion("version", 3),

1528 ASN1F_PACKET("originator", CMS_OriginatorIdentifierOrKey(),

1529 CMS_OriginatorIdentifierOrKey,

1530 explicit_tag=0xA0),

1531 ASN1F_optional(

1532 ASN1F_STRING("ukm", None, "",

1533 explicit_tag=0x81),

1534 ),

1535 ASN1F_PACKET("keyEncryptionAlgorithm",

1536 X509_AlgorithmIdentifier(),

1537 X509_AlgorithmIdentifier),

1538 ASN1F_SEQUENCE_OF("recipientEncryptedKeys", [], CMS_RecipientEncryptedKey),

1539 )

1540

1541

1542# RFC3852 sect 6.2

1543

1544class CMS_RecipientInfo(ASN1_Packet):

1545 ASN1_codec = ASN1_Codecs.BER

1546 ASN1_root = ASN1F_CHOICE(

1547 "recipientInfo",

1548 CMS_KeyTransRecipientInfo(),

1549 ASN1F_PACKET("ktri", CMS_KeyTransRecipientInfo(), CMS_KeyTransRecipientInfo),

1550 ASN1F_PACKET("kari", CMS_KeyAgreeRecipientInfo(), CMS_KeyAgreeRecipientInfo,

1551 implicit_tag=0xA1),

1552 )

1553

1554

1555# RFC3852 sect 6.1

1556

1557class CMS_OriginatorInfo(ASN1_Packet):

1558 ASN1_codec = ASN1_Codecs.BER

1559 ASN1_root = ASN1F_SEQUENCE(

1560 ASN1F_optional(

1561 ASN1F_SET_OF(

1562 "certs",

1563 None,

1564 CMS_CertificateChoices,

1565 implicit_tag=0xA0,

1566 )

1567 ),

1568 ASN1F_optional(

1569 ASN1F_SET_OF(

1570 "crls",

1571 None,

1572 CMS_RevocationInfoChoice,

1573 implicit_tag=0xA1,

1574 )

1575 ),

1576 )

1577

1578

1579class CMS_EncryptedContentInfo(ASN1_Packet):

1580 ASN1_codec = ASN1_Codecs.BER

1581 ASN1_root = ASN1F_SEQUENCE(

1582 ASN1F_OID("contentType", "1.2.840.113549.1.7.2"),

1583 ASN1F_PACKET("contentEncryptionAlgorithm",

1584 X509_AlgorithmIdentifier(),

1585 X509_AlgorithmIdentifier),

1586 ASN1F_optional(

1587 ASN1F_STRING("encryptedContent", "",

1588 implicit_tag=0x80),

1589 )

1590 )

1591

1592

1593class CMS_EnvelopedData(ASN1_Packet):

1594 ASN1_codec = ASN1_Codecs.BER

1595 ASN1_root = ASN1F_SEQUENCE(

1596 CMSVersion("version", 1),

1597 ASN1F_optional(

1598 ASN1F_PACKET("originatorInfo", None, CMS_OriginatorInfo,

1599 implicit_tag=0xA0),

1600 ),

1601 ASN1F_SET_OF("recipientInfos", CMS_RecipientInfo(), CMS_RecipientInfo),

1602 ASN1F_PACKET("encryptedContentInfo", CMS_EncryptedContentInfo(),

1603 CMS_EncryptedContentInfo),

1604 ASN1F_optional(

1605 ASN1F_SET_OF("unprotectedAttrs", [], X509_Attribute,

1606 implicit_tag=0xA1),

1607 )

1608 )

1609

1610

1611# RFC3852 sect 3

1612

1613class CMS_ContentInfo(ASN1_Packet):

1614 ASN1_codec = ASN1_Codecs.BER

1615 ASN1_root = ASN1F_SEQUENCE(

1616 ASN1F_OID("contentType", "1.2.840.113549.1.7.2"),

1617 MultipleTypeField(

1618 [

1619 (

1620 ASN1F_PACKET("content", None, CMS_SignedData,

1621 explicit_tag=0xA0),

1622 lambda pkt: pkt.contentType.oidname == "id-signedData"

1623 ),

1624 (

1625 ASN1F_PACKET("content", None, CMS_EnvelopedData,

1626 explicit_tag=0xA0),

1627 lambda pkt: pkt.contentType.oidname == "id-envelopedData"

1628 ),

1629 ],

1630 ASN1F_BIT_STRING("content", "", explicit_tag=0xA0)

1631 )

1632 )

1633

1634

1635#####################

1636# CSR packets #

1637#####################

1638

1639# based on PKCS#10 #

1640

1641

1642class PKCS10_CertificationRequestInfo(ASN1_Packet):

1643 ASN1_codec = ASN1_Codecs.BER

1644 ASN1_root = ASN1F_SEQUENCE(

1645 ASN1F_INTEGER("version", 0),

1646 ASN1F_SEQUENCE_OF("subject", _default_subject, X509_RDN),

1647 ASN1F_PACKET("subjectPublicKeyInfo",

1648 X509_SubjectPublicKeyInfo(),

1649 X509_SubjectPublicKeyInfo),

1650 ASN1F_SET_OF("attributes", [], X509_Attribute,

1651 implicit_tag=0xA0),

1652 )

1653

1654 get_subject = X509_TBSCertificate.get_subject

1655 get_subject_str = X509_TBSCertificate.get_subject_str

1656

1657

1658class PKCS10_CertificationRequest(ASN1_Packet):

1659 ASN1_codec = ASN1_Codecs.BER

1660 ASN1_root = ASN1F_SEQUENCE(

1661 ASN1F_PACKET("certificationRequestInfo", PKCS10_CertificationRequestInfo(),

1662 PKCS10_CertificationRequestInfo),

1663 ASN1F_PACKET("signatureAlgorithm", X509_AlgorithmIdentifier(),

1664 X509_AlgorithmIdentifier),

1665 ASN1F_BIT_STRING("signature", ASN1F_BIT_STRING("", "")),

1666 )

1667

1668

1669# based on CMC #

1670

1671# RFC 5272 sect 3.2.1.1

1672

1673class CMC_TaggedAttribute(ASN1_Packet):

1674 ASN1_codec = ASN1_Codecs.BER

1675 ASN1_root = ASN1F_SEQUENCE(

1676 ASN1F_INTEGER("bodyPartID", 0),

1677 ASN1F_OID("type", "0"), # attrType for compat

1678 ASN1F_SET_OF("attrValues", [], X509_AttributeValue),

1679 )

1680

1681

1682# RFC 5272 sect 3.2.1.2.1

1683

1684class CMC_TaggedCertificationRequest(ASN1_Packet):

1685 ASN1_codec = ASN1_Codecs.BER

1686 ASN1_root = ASN1F_SEQUENCE(

1687 ASN1F_INTEGER("bodyPartID", 0),

1688 ASN1F_PACKET("certificationRequest", PKCS10_CertificationRequest(),

1689 PKCS10_CertificationRequest)

1690 )

1691

1692

1693# RFC 5272 sect 3.2.1.2

1694

1695class CMC_TaggedRequest(ASN1_Packet):

1696 ASN1_codec = ASN1_Codecs.BER

1697 ASN1_root = ASN1F_CHOICE(

1698 "request", CMC_TaggedCertificationRequest(),

1699 ASN1F_PACKET("tcr", CMC_TaggedCertificationRequest(),

1700 CMC_TaggedCertificationRequest,

1701 implicit_tag=0xA0),

1702 # XXX there are others

1703 )

1704

1705

1706# RFC 5272 sect 3.2.1.3

1707

1708class CMC_TaggedContentInfo(ASN1_Packet):

1709 ASN1_codec = ASN1_Codecs.BER

1710 ASN1_root = ASN1F_SEQUENCE(

1711 ASN1F_INTEGER("bodyPartID", 0),

1712 ASN1F_PACKET("contentInfo", CMS_ContentInfo(),

1713 CMS_ContentInfo)

1714 )

1715

1716

1717# RFC 5272 sect 3.2.1.4

1718

1719class CMC_OtherMsg(ASN1_Packet):

1720 ASN1_codec = ASN1_Codecs.BER

1721 ASN1_root = ASN1F_SEQUENCE(

1722 ASN1F_INTEGER("bodyPartID", 0),

1723 ASN1F_OID("otherMsgType", "0"),

1724 ASN1F_field("otherMsgValue", ""),

1725 )

1726

1727

1728# RFC 5272 sect 3.2.1

1729

1730class CMC_PKIData(ASN1_Packet):

1731 ASN1_codec = ASN1_Codecs.BER

1732 ASN1_root = ASN1F_SEQUENCE(

1733 ASN1F_SEQUENCE_OF("controlSequence", [], CMC_TaggedAttribute),

1734 ASN1F_SEQUENCE_OF("reqSequence", [], CMC_TaggedRequest),

1735 ASN1F_SEQUENCE_OF("cmsSequence", [], CMC_TaggedContentInfo),

1736 ASN1F_SEQUENCE_OF("otherMsgSequence", [], CMC_OtherMsg),

1737 )

1738

1739

1740_CMS_ENCAPSULATED["1.3.6.1.5.5.7.12.2"] = CMC_PKIData

1741

1742

1743# Windows extensions #

1744

1745# https://learn.microsoft.com/en-us/windows/win32/seccertenroll/cmc-extensions

1746

1747class CMC_AddExtensions(ASN1_Packet):

1748 ASN1_codec = ASN1_Codecs.BER

1749 ASN1_root = ASN1F_SEQUENCE(

1750 ASN1F_INTEGER("pkiDataReference", 0),

1751 ASN1F_SEQUENCE_OF("certReferences", [], ASN1F_INTEGER),

1752 ASN1F_PACKET("extensions", X509_Extensions(), X509_Extensions),

1753 )

1754

1755

1756_X509_ATTRIBUTE_TYPE["1.3.6.1.5.5.7.7.8"] = CMC_AddExtensions

1757

1758

1759# https://learn.microsoft.com/en-us/windows/win32/seccertenroll/cmc-attributes

1760

1761class CMC_AddAttributes(ASN1_Packet):

1762 ASN1_codec = ASN1_Codecs.BER

1763 ASN1_root = ASN1F_SEQUENCE(

1764 ASN1F_INTEGER("pkiDataReference", 0),

1765 ASN1F_SEQUENCE_OF("certReferences", [], ASN1F_INTEGER),

1766 ASN1F_SET_OF("attributes", X509_Attribute(), X509_Attribute),

1767 )

1768

1769

1770_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.10.10.1"] = CMC_AddAttributes

1771

1772

1773# [MS-WCCE] sect 2.2.2.7.2

1774

1775class CMC_ENROLLMENT_CSP_PROVIDER(ASN1_Packet):

1776 ASN1_codec = ASN1_Codecs.BER

1777 ASN1_root = ASN1F_SEQUENCE(

1778 ASN1F_INTEGER("KeySpec", 0),

1779 ASN1F_BMP_STRING("ProviderName", ""),

1780 ASN1F_BIT_STRING("Signature", ""),

1781 )

1782

1783

1784_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.13.2.2"] = CMC_ENROLLMENT_CSP_PROVIDER

1785

1786

1787# [MS-WCCE] sect 2.2.2.7.4

1788

1789class CMC_REQUEST_CLIENT_INFO(ASN1_Packet):

1790 ASN1_codec = ASN1_Codecs.BER

1791 ASN1_root = ASN1F_SEQUENCE(

1792 ASN1F_INTEGER("clientId", 0),

1793 ASN1F_UTF8_STRING("MachineName", ""),

1794 ASN1F_UTF8_STRING("UserName", ""),

1795 ASN1F_UTF8_STRING("ProcessName", ""),

1796 )

1797

1798

1799_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.21.20"] = CMC_REQUEST_CLIENT_INFO

1800

1801

1802# [MS-WCCE] sect 2.2.2.7.10

1803

1804class CMC_EnrollmentNameValuePair(ASN1_Packet):

1805 ASN1_codec = ASN1_Codecs.BER

1806 ASN1_root = ASN1F_SEQUENCE(

1807 ASN1F_BMP_STRING("Name", ""),

1808 ASN1F_BMP_STRING("Value", ""),

1809 )

1810

1811

1812_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.13.2.1"] = CMC_EnrollmentNameValuePair

1813

1814

1815# [MS-WCCE] sect 2.2.2.7.12

1816

1817class CMC_ENROLL_ATTESTATION_STATEMENT(ASN1_Packet):

1818 ASN1_codec = ASN1_Codecs.BER

1819 ASN1_root = ASN1F_STRING_ENCAPS("kas", KeyAttestationStatement(),

1820 KeyAttestationStatement)

1821

1822

1823_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.21.24"] = CMC_ENROLL_ATTESTATION_STATEMENT

1824

1825

1826# [MS-WCCE] sect 2.2.2.7.13

1827

1828_X509_ATTRIBUTE_TYPE["1.3.6.1.4.1.311.21.23"] = CMS_ContentInfo

1829

1830

1831#############################

1832# OCSP Status packets #

1833#############################

1834# based on RFC 6960

1835

1836class OCSP_CertID(ASN1_Packet):

1837 ASN1_codec = ASN1_Codecs.BER

1838 ASN1_root = ASN1F_SEQUENCE(

1839 ASN1F_PACKET("hashAlgorithm",

1840 X509_AlgorithmIdentifier(),

1841 X509_AlgorithmIdentifier),

1842 ASN1F_STRING("issuerNameHash", ""),

1843 ASN1F_STRING("issuerKeyHash", ""),

1844 ASN1F_INTEGER("serialNumber", 0))

1845

1846

1847class OCSP_GoodInfo(ASN1_Packet):

1848 ASN1_codec = ASN1_Codecs.BER

1849 ASN1_root = ASN1F_NULL("info", 0)

1850

1851

1852class OCSP_RevokedInfo(ASN1_Packet):

1853 ASN1_codec = ASN1_Codecs.BER

1854 ASN1_root = ASN1F_SEQUENCE(

1855 ASN1F_GENERALIZED_TIME("revocationTime", ""),

1856 ASN1F_optional(

1857 ASN1F_PACKET("revocationReason", None,

1858 X509_ExtReasonCode,

1859 explicit_tag=0xa0)))

1860

1861

1862class OCSP_UnknownInfo(ASN1_Packet):

1863 ASN1_codec = ASN1_Codecs.BER

1864 ASN1_root = ASN1F_NULL("info", 0)

1865

1866

1867class OCSP_CertStatus(ASN1_Packet):

1868 ASN1_codec = ASN1_Codecs.BER

1869 ASN1_root = ASN1F_CHOICE("certStatus", None,

1870 ASN1F_PACKET("good", OCSP_GoodInfo(),

1871 OCSP_GoodInfo, implicit_tag=0x80),

1872 ASN1F_PACKET("revoked", OCSP_RevokedInfo(),

1873 OCSP_RevokedInfo, implicit_tag=0xa1),

1874 ASN1F_PACKET("unknown", OCSP_UnknownInfo(),

1875 OCSP_UnknownInfo, implicit_tag=0x82))

1876

1877

1878class OCSP_SingleResponse(ASN1_Packet):

1879 ASN1_codec = ASN1_Codecs.BER

1880 ASN1_root = ASN1F_SEQUENCE(

1881 ASN1F_PACKET("certID", OCSP_CertID(), OCSP_CertID),

1882 ASN1F_PACKET("certStatus", OCSP_CertStatus(certStatus=OCSP_GoodInfo()),

1883 OCSP_CertStatus),

1884 ASN1F_GENERALIZED_TIME("thisUpdate", ""),

1885 ASN1F_optional(

1886 ASN1F_GENERALIZED_TIME("nextUpdate", "",

1887 explicit_tag=0xa0)),

1888 ASN1F_optional(

1889 ASN1F_SEQUENCE_OF("singleExtensions", None,

1890 X509_Extension,

1891 explicit_tag=0xa1)))

1892

1893

1894class OCSP_ByName(ASN1_Packet):

1895 ASN1_codec = ASN1_Codecs.BER

1896 ASN1_root = ASN1F_SEQUENCE_OF("byName", [], X509_RDN)

1897

1898

1899class OCSP_ByKey(ASN1_Packet):

1900 ASN1_codec = ASN1_Codecs.BER

1901 ASN1_root = ASN1F_STRING("byKey", "")

1902

1903

1904class OCSP_ResponderID(ASN1_Packet):

1905 ASN1_codec = ASN1_Codecs.BER

1906 ASN1_root = ASN1F_CHOICE("responderID", None,

1907 ASN1F_PACKET("byName", OCSP_ByName(), OCSP_ByName,

1908 explicit_tag=0xa1),

1909 ASN1F_PACKET("byKey", OCSP_ByKey(), OCSP_ByKey,

1910 explicit_tag=0xa2))

1911

1912

1913class OCSP_ResponseData(ASN1_Packet):

1914 ASN1_codec = ASN1_Codecs.BER

1915 ASN1_root = ASN1F_SEQUENCE(

1916 ASN1F_optional(

1917 ASN1F_enum_INTEGER("version", 0, {0: "v1"},

1918 explicit_tag=0x80)),

1919 ASN1F_PACKET("responderID", OCSP_ResponderID(responderID=OCSP_ByName()),

1920 OCSP_ResponderID),

1921 ASN1F_GENERALIZED_TIME("producedAt",

1922 str(GeneralizedTime())),

1923 ASN1F_SEQUENCE_OF("responses", [], OCSP_SingleResponse),

1924 ASN1F_optional(

1925 ASN1F_SEQUENCE_OF("responseExtensions", None,

1926 X509_Extension,

1927 explicit_tag=0xa1)))

1928

1929

1930class ASN1F_OCSP_BasicResponse(ASN1F_SEQUENCE):

1931 def __init__(self, **kargs):

1932 seq = [ASN1F_PACKET("tbsResponseData",

1933 OCSP_ResponseData(),

1934 OCSP_ResponseData),

1935 ASN1F_PACKET("signatureAlgorithm",

1936 X509_AlgorithmIdentifier(),

1937 X509_AlgorithmIdentifier),

1938 MultipleTypeField(

1939 [

1940 (ASN1F_BIT_STRING_ENCAPS("signature",

1941 ECDSASignature(),

1942 ECDSASignature),

1943 lambda pkt: "ecdsa" in pkt.signatureAlgorithm.algorithm.oidname.lower()), # noqa: E501

1944 ],

1945 ASN1F_BIT_STRING("signature",

1946 "defaultsignature" * 2)),

1947 ASN1F_optional(

1948 ASN1F_SEQUENCE_OF("certs", None, X509_Cert,

1949 explicit_tag=0xa0))]

1950 ASN1F_SEQUENCE.__init__(self, *seq, **kargs)

1951

1952

1953class OCSP_ResponseBytes(ASN1_Packet):

1954 ASN1_codec = ASN1_Codecs.BER

1955 ASN1_root = ASN1F_SEQUENCE(

1956 ASN1F_OID("responseType", "1.3.6.1.5.5.7.48.1.1"),

1957 ASN1F_OCSP_BasicResponse(explicit_tag=0x04))

1958

1959

1960_responseStatus_mapping = ["successful",

1961 "malformedRequest",

1962 "internalError",

1963 "tryLater",

1964 "notUsed",

1965 "sigRequired",

1966 "unauthorized"]

1967

1968

1969class OCSP_Response(ASN1_Packet):

1970 ASN1_codec = ASN1_Codecs.BER

1971 ASN1_root = ASN1F_SEQUENCE(

1972 ASN1F_ENUMERATED("responseStatus", 0,

1973 _responseStatus_mapping),

1974 ASN1F_optional(

1975 ASN1F_PACKET("responseBytes", None,

1976 OCSP_ResponseBytes,

1977 explicit_tag=0xa0)))